How To Recover a Hacked WordPress Site

The phone rang and my heart sank. I answered and heard the distressed voice of a client, explaining that her customers were calling and complaining that the WordPress website for their business was hacked. Complaints of damage to a customer’s computer because of a virus and claims of a lost photo collection trickled in and I knew we had a mess on our hands. Several days and a lot of extra hours later, we cleaned up the mess that had targeted more than 30 of the WordPress sites we were servicing.

Through that trial by fire I learned a lot more about WordPress security than I had ever expected. Today, in this WordPress tutorial, we’re going to review the process I recommend you follow for recovering from a WordPress attack and then look at steps you can take to prevent an attack altogether.

The Road To Recovery

Depending on the size and scope of the attack, knowing where to begin can be the hardest part. While specific details will vary the following is a general, principled-based outline that will get you through the majority of all compromises.

Backup - Even though the site is infected, it’s important to secure a backup just incase things go from bad to worse. Get a complete backup, including all your database (that means any non-Core WordPress tables added by plugins). Downloading all files and a complete SQL export via PhpMyAdmin is one way to go. Another great (and faster) solution is BackupBuddy. Don’t skip this step.

Change Passwords & Access Keys - Before you start your clean-up, go in and change the WordPress admin and database passwords and reset the WordPress Secret Keys in the wp-config.php file to make sure that anyone with unintended access is kicked out.

Run Scanners - Our list of compromised sites was hosted on RackSpace Cloud Sites. Accordingly, I was able to use the free Cloud Sites WP Scanner plugin to identify compromised files in WordPress. Another option is the Sucuri Malware Scanner. The idea with a scanner is to save time and point you to any obvious areas of compromise. Scanners are particularly helpful for identifying database-level compromises. Don’t rely on it entirely, though. After a scan, move on to the next step.

Reinstall WordPress - Delete all of the files in your WordPress directory except wp-config.php and the wp-content directory. Then, download a fresh copy of WordPress and upload it in place. Edit the wp-config-sample.php file, replacing it’s sample values with the actual database values from the current wp-config.php file. Then, delete the current file and replace it with your own. If you know exactly what you’re looking for and can identify any compromises within the file you can leave the file intact – if you’re not sure, though, it’s better to be safe than sorry.

Review Content Folder – Look for any suspicious looking folders in the wp-content directory. A “cache” folder can be a guilty culprit, even if you’re using a caching plugin. Inspect folders for content that doesn’t appear to belong. If you’re not sure, scrap it. You can always bring it back via your backup.

Review & Reinstall Existing Plugins - With the core WordPress files safe the next step is to review the plugins. Identify any plugins that you’re not currently using and remove them entirely. Next, one by one, deactivate, delete, and then reinstall and activate any currently active plugins. This can be a bit of a tedious process, especially for sites with a lot of plugins. Again – if you’re sure of the source of the compromise you can save time on this part of the process. If you’re not sure, though, don’t risk it.

Review Themes - Remove any extra themes that aren’t being used, including the default themes. Next, carefully look through your theme files, looking for any suspicious lines of PHP or references to javascript files. They are typically found in the header.php and footer.php files. As attacks get more complex, though, expect them to show up in even more difficult places to identify (such as your functions.php file).

Check Google’s Webmaster Tools - In recent years, Google has taken the initiative to identify and flag sites that have experienced a security compromise. This happened to several of our sites early on that had gone unnoticed for a few weeks (a very bad idea). If you haven’t already, log in to Webmaster Tools and claim your site and check for any warnings. If there is a warning in place, submit a request for them to check again and remove the warning.

It’s a long and painful process, but it needs to be done. A compromised site unchecked only gets worse over time. For more detail on the topic, take a look at the “My site was hacked” FAQ on the WordPress Codex.

An Ounce Of Prevention

If you’ve recovered from an attack or you haven’t been attacked yet, the most important thing to do now is focus on prevention. It’s much easier to prevent a compromise to begin with than recover from it after the fact. Here are some steps you can take:

Regular Backups - Make sure that you have a regular backup method that provides a complete backup of your WordPress files and your database. Have a weekly backup at a minimum, with a daily backup (of at least the database) as the ideal. BackupBuddy is an excellent option.

File Change Monitoring - One extra layer of protection that has worked well for us is adding a plugin to monitor file changes. On an active site this can be a pain. But on a site with little activity, it’s an excellent tool. WordPress File Monitor Plus is the best plugin I’ve found so far.

Scan Local Machines – If you or your clients are using a Windows-based machine it is important to do a security scan, particularly on any machines with WordPress Admin or FTP level access to the site. Unfortunately, this is a relatively common source of compromises. Lifehacker offers a list of malware removal tools to get you started.

Move To Managed WordPress Hosting - Back when I first started dealing with compromises, managed hosting wasn’t a viable option. Today, though, with folks like WPEngine.com and Zippykid.com in the business, it is an excellent option. They provide automatic, daily backups (and restoration) and, for WPEngine, they specialize in system security and clean-up in the event that a compromise does occur. Check out the WPEngine review right here on WPHub.com.

Note: If you’re interested in an even more in-depth approach to compromise prevention and WordPress security in general, take a look at the Locking Down WordPress guide on CodePoets.

And that’s that! Do you have a hacking story to share or a question about a current situation? Talk to us in the comments below.